Posted by yabones 11 hours ago
I encourage everyone to run a hardware router. A cheap dedicated wired router can be had for $50. Run PfSense or the vendor firmware . It’s very rewarding. Also a long term investment since routers tend to last for many years while wifi standards are revised every year or so .
Any computer with a single network interface, maybe even an (old) laptop, can be used. Anything x86 from at least the last 10 years is energy efficient and fast enough to route at gigabit speed. If you don't care about energy usage, any x86-based computer from the last 20 years is fast enough.
The magic trick is to use VLANs, which require switches that support VLANs, which can be had for cheap. VLANS also allows you to create separate isolated networks for IoT or other 'less secure' or untrusted devices.
I’ve always made my own routers by using low-power devices running Linux (Debian) with IPtables and now NFtables.
No special router OS or software required.
Highly recommend.
P.S. that single network interface is very likely never a bottleneck because network interfaces are full-duplex. Only when your router is also your file server (not recommended), internet traffic and file server traffic could start to compete with each other.
The "router on a stick" paradigm using VLANs to a share a single physical port is perfectly valid. You're creating a "now you have two problems" scenario in which you need a VLAN-capable switch and have VLAN configuration to make.
I typically like the ISP router on a dedicated router port to make monitoring the physical link and/or cycling the physical link easier.
Unless your ISP is >1Gbps adding a second port to most devices is as easy as adding a USB NIC.
There are 2.5 Gbps, 5, and even 10 Gbps USB NICs these days, although 10 Gbps ones are pretty expensive and require really recent USB ports.
I agree I want my local network and my WAN port separate, if for no other reasons than so I can use ssh to get into the router from my LAN with the WAN port disabled.
VLAN hopping is only possible due to misconfiguration. I'd like to be proven otherwise if that's not the case. VLANs are used EVERYWHERE where it matters. And no, the single port is absolutely not a bottleneck because the port is full-duplex.
If you're trying to push close to a gigabit up and down simultaneously that single port will become a bottleneck. I agree for most typical use cases it is not a concern.
Both get 500Mbit.
Bottleneck.
Ideally the PI also should to what the extra DSL Modem does… but I guess that's where the dram must stop. :D
This of course means you need a VLAN-aware switch that this single ethernet port can plug into, configured as a VLAN trunk (in Cisco terms) port. You would then want to configure one of the other switch ports as a VLAN access port assigned to VLAN 100 (untagged). This is the port you would plug your cable modem into. Then (in the simplest example) you could assign all the rest of the switch ports to VLAN 200 (untagged), and you would plug all your LAN devices into them.
But you might want VLANs anyway, so it's an interesting thing to consider.
Extra NICs move forwarding work into the host, and you pay for that in CPU time. If you care about isolation and wire-speed, buy a cheap managed switch instead of stuffing more NICs into the box.
What’s the cheapest (new) computer that can drive a 1Gb port with NAT? With a busy encrypted (wireguard?) connection?
[I don’t think qos has a lot of use in the domestic environment; sure, someone here does it but I think it’s much less mainstream than the features I already mentioned. ]
Such a device could drive my home. But in a couple of years I suspect I’ll want 2Gb or 10.
In the past I’ve tended to use a device until its crappy power supply failed. So I guess I’m hoping for a >5 year life span/upgrade capacity.
For all I know the answer to my question is one of those passively cooled four port n100 bricks from AliExpress. Anecdata happily accepted.
What's the cheapest new computer you can find? That will work. If you have PPPoE, you need to be a bit more careful; depending on your OS and NICs, it's possible for inbound traffic to only use one core; low power laptop cpu may not have enough throughput from a single cpu, but my information is a little dated.
I did 1G NAT on a dual core haswell [1] for a long time.
[1] https://www.intel.com/content/www/us/en/products/sku/82723/i...
Depending on details, it can go higher (e.g. without the ipsec being handled on the atom box, and using the 10G ports built into the chip, offload becomes helpful for TCP and UDP flows).
This is traffic in one 10G port and out the other, in this case. Multiport flows were not tested since they were out of spec for the use case.
This is not a one off - this is a product I built and has been tested in many deployment scenarios. (I can't provide more details due to employment reasons, and I won't name the employer)
About any n100 will do. Question is in their reliability which mostly comes down to power regulation components quality. Not performance.
One of my installs runs on a repurposed old android phone. Which has about 100 times CPU capacity of the router I write this through, and that one being cheap tplink shit still terminates wireguard at link speed which is 100Mbps. You don't need fancy gear for routing. And you don't usually need gigabit uplink because speed is limited way upstream.
But if you want "the right gear and damn the price" go get a Microtik. They are very good.
That's how you can have multi-Gbps on a router with a 200MHz MIPS CPU. Or Tbps on a router with a quad-core Xeon.